authorPaul Buetow <paul@buetow.org>2026-01-09 11:13:28 +0200
committerPaul Buetow <paul@buetow.org>2026-01-09 11:13:28 +0200
commit48a8499a2b919e28045c896cd8553d90bb3b875b (patch)
tree8079af8b392f3c8f19ae653a69ed311c38f8ac79 /f3s/git-server
parent36b631ff8f1fb454164f448bfd0cd0e8707bb6af (diff)
Fix SSH host keys and container security
- Generate SSH host keys at runtime via entrypoint script
- Remove fsGroup security context to fix emptyDir permissions
- Allow cgit to initialize cache directory as root
Diffstat (limited to 'f3s/git-server')
-rw-r--r--f3s/git-server/docker-image/Dockerfile16
-rw-r--r--f3s/git-server/helm-chart/templates/deployment.yaml4
2 files changed, 10 insertions, 10 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile
index 382ad0d..574a94b 100644
--- a/f3s/git-server/docker-image/Dockerfile
+++ b/f3s/git-server/docker-image/Dockerfile
@@ -9,15 +9,19 @@ RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \
mkdir -p /home/git/.ssh /repos && \
chown -R git:git /home/git /repos
-# Generate SSH host keys
-# These will be regenerated if not persisted via volume mount
-RUN ssh-keygen -A
-
# Copy sshd configuration
COPY sshd_config /etc/ssh/sshd_config
+# Create entrypoint script to generate host keys at runtime
+RUN echo '#!/bin/sh' > /entrypoint.sh && \
+ echo 'if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then' >> /entrypoint.sh && \
+ echo ' ssh-keygen -A' >> /entrypoint.sh && \
+ echo 'fi' >> /entrypoint.sh && \
+ echo 'exec /usr/sbin/sshd -D -e' >> /entrypoint.sh && \
+ chmod +x /entrypoint.sh
+
# Expose SSH port
EXPOSE 22
-# Run SSH daemon in foreground with error logging to stderr
-CMD ["/usr/sbin/sshd", "-D", "-e"]
+# Run entrypoint script
+CMD ["/entrypoint.sh"]
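Review bot: The runtime `ssh-keygen -A` in the new entrypoint keeps a stable host identity only if /etc/ssh survives container restarts; with no persistent mount for it, every new pod generates a fresh host key and clients get a host-key-changed warning, which trains users to accept key changes. The guard `if [ ! -f /etc/ssh/ssh_host_ed25519_key ]` is a reasonable check since `-A` skips key types that already exist, but the requirement should be stated next to it: `# Host keys are generated only when absent: mount /etc/ssh (or the ssh_host_* files from a Secret) on a persistent volume so the host identity is stable across restarts.` Building the script from a chain of `echo` redirects is hard to read and review; a checked-in `entrypoint.sh` starting with `set -eu`, added via `COPY entrypoint.sh /entrypoint.sh` and `RUN chmod 755 /entrypoint.sh`, is easier to audit and lint. The deployment hunk in this commit does not show a volume for /etc/ssh, so this may already be handled elsewhere in the chart.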
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 0446725..b74a5fc 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -15,10 +15,6 @@ spec:
labels:
app: git-server
spec:
- # Allow both git (1000) and www-data (33) to access shared files
- securityContext:
- fsGroup: 1000
-
containers:
# Container 1: SSH Git Server
- name: git-server
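Review bot: Dropping the pod-level `securityContext` with `fsGroup: 1000` removes the only visible mechanism that let the git (1000) and www-data (33) containers share the volume, and per the commit message the cgit container now initializes its cache as root instead. The rest of the pod spec, including any per-container `securityContext`, is outside this hunk, so it is not visible whether the containers still set `runAsUser` or `runAsNonRoot`. An initContainer that creates and chowns the cache directory on the shared emptyDir, or `supplementalGroups` on the containers, would restore shared access without a root-running cgit process. At minimum record the reason where the block was removed: `# No fsGroup: it broke emptyDir permissions; cgit initializes its cache dir as root instead`.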